2.2.1.2 Account Lockout Policies
This section defines settings that specify the configuration of account lockout duration. The ABNF for valid keys that represent such policies MUST be as follows.
-
Key = "LockoutBadCount" / "ResetLockoutCount" / "LockoutDuration" / "ForceLogoffWhenHourExpire" Value = 1*10DIGIT
The following table provides an explanation for each of the valid key values.
Note All numerical values are decimal unless explicitly specified otherwise or preceded by 0x.
Setting key |
Explanation |
---|---|
ForceLogoffWhenHourExpire |
This setting controls whether SMB client sessions with the SMB server will be forcibly disconnected when the client's logon hours expire. If a nonzero value is specified, the policy is enabled. |
LockoutDuration |
The number of minutes that a locked-out account MUST remain locked out before automatically becoming unlocked. The value MUST be either -1 or in the range 1 to 99,999. If the account lockout duration value is set to negative 1, the account MUST be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration MUST be greater than or equal to the reset time, ResetLockoutCount. This setting only has meaning when an account lockout threshold is specified. |
LockoutBadCount |
Number of failed logon attempts after which a user account MUST be locked out. A locked-out account MUST NOT be allowed to log on until it is reset by an administrator or until the lockout duration for the account has expired. The value MUST be between 0 and 2^16. A value of 0 indicates that the account MUST not be locked out. |
ResetLockoutCount |
Number of minutes after a failed logon attempt that the account MUST be locked out. The value MUST be in the range -2^32 to 2^32. If the value is negative or zero, then no reset time is enforced. If a positive account lockout threshold is defined, this reset time MUST be less than or equal to the account lockout duration, LockoutDuration. |